Yahoo! Brings in Two-Step Authentication, Finally
Added by Brandy Courtade on Jan 3, 2012
As you probably know, email accounts are a desirable target for hackers and phishers, which makes them a high-risk factor in small and midsize businesses (SMBs). In fact, hacking and phishing often go side by side: attackers like hacking accounts to propagate scams, and they make the scams appear legitimate by posing as the owner of the account they just hacked. In response, Yahoo! recently introduced two-step authentication to its mail service. However, depending on your situation, it may seem too little too late, as these methods are pretty stale.
When Yahoo! doesn't recognize the device you are logging in from, it requires you to answer your security question. It also gives you the option to have a code sent to your mobile phone via text, which you then use to verify your log-in. Both of these "new" Yahoo! security measures are sigh-worthy at best. According to Yahoo!, adding your mobile phone number is mandatory; while this is a relatively new feature, Gmail has asked users to do the same for security purposes for several months, and the option has been around longer than that.
Security questions have been around for ages. Though they have typically been reserved for recovering passwords, it's not unheard of for email providers to use them for validation. More importantly, hackers have been aware of this method for a while, which means they've had plenty of time to adapt and develop work-arounds. If Yahoo! was trying to innovate or make a serious attempt at preventing hacks, it should have chosen something fresher and fully baked.
Whom the Two-Step Authentication Affects
Still, Yahoo! didn't make such a bad move. If you're an IT pro who deals with Yahoo! mail accounts at your SMB, this is good news. Ultimately, the value of this change depends on whom Yahoo! is targeting. If the company is trying to gain more users and be a leader in the industry, then this isn't meaningful. However, if it's just trying to protect its current user base and keep up with the competition, this is a solid move.
On the other hand, this doesn't address the issue of staying at least one step ahead of hackers. Even Gmail, which has had the mobile phone verification option for a while, hasn't implemented anything truly innovative yet. Two-step authentication might stump the average scammer, but it's not going to protect you from everyone, especially since Yahoo! gives you the option to answer a security question instead. You won't thwart attackers by adding a phone number you only have to verify once if they've cracked your security question. It would have made more sense for Yahoo! to offer only verification code authentication via SMS. Though SMS is not completely impervious, it's a lot less likely that a hacker will reroute your employees' verification codes to a dummy handset than it is that they will dig for a little personal information to crack employees' security questions. Social media has made it easier for anyone to find basic personal information, and left to their own devices, people will choose simple questions and answers just as they choose simple passwords, as discussed in another Infoboom article.
Finally, this two-step authentication only activates when Yahoo! doesn't recognize the device. If a hacker somehow gains access to a corporate computer or an employee's personal device, it won't matter. Though this isn't particularly likely, it shows that email providers still have a lot of room to grow before IT pros can stop worrying on a daily basis about even the littlest things, like email.